Vault is a popular secret manager from HashiCorp. Using a signed certificate to SSH into your server adds another layer of security. I created Vault Signed SSH Certificate Manager to allow other developers to SSH into servers more securely.
Before you get started, you will need the following:
- A running Vault server
Installing SSH Manager Binary #
In order to run ssh-manager, we need to install the binary on the local machine. For this, run the following go command to get the package.
go get -u github.com/omegion/vault-ssh
Let's test that the binary is working. If everything went well, you will see the CLI help as below:
❯ vault-ssh --help
CLI command to manage SSH connections with Vault

Usage:
  vault-ssh [command]

Available Commands:
  certificate Manages certificates for SSH engine.
  enable      Enables SSH Engine.
  help        Help about any command
  role        Manages roles for SSH engine.
  sign        Signs given public key with SSH engine and role.
  version     Print the version/build number

Flags:
  -h, --help   help for vault-ssh

Use "vault-ssh [command] --help" for more information about a command.
Create SSH engine and role. #
- Enable an SSH engine in your Vault.
vault-ssh enable --path my-ssh-signer
- Generate a Certificate CA for the engine.
vault-ssh certificate create --engine my-ssh-signer
- Read created certificate to put on your server.
vault-ssh certificate read --engine my-ssh-signer
- Create a role for the engine.
vault-ssh role create --name omegion --engine my-ssh-signer
- Sign your public key with a role. In this example the signed certificate is written to signed-key.pub.
vault-ssh sign \
  --role omegion \
  --engine my-ssh-signer \
  --public-key ~/.ssh/id_rsa.pub > signed-key.pub
- SSH your server with signed key.
ssh -i signed-key.pub -i ~/.ssh/id_rsa [email protected]
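Before handing signed-key.pub to ssh, it is worth confirming what Vault actually issued: which CA signed it, which principals it grants, and how long it stays valid. On the server side this is what sshd checks against the `TrustedUserCAKeys` file holding the CA public key read in the "certificate read" step, so a mismatch in any of these fields shows up as a silent authentication failure. The following is an added example, not part of the original post or of the vault-ssh tool: a small parser for the OpenSSH certificate wire format (PROTOCOL.certkeys) that extracts those fields and flags problems. It handles both RSA certificates (as produced from the id_rsa.pub key used above) and Ed25519 certificates; the sample certificate, CA key and fingerprint at the bottom are constructed fixtures with dummy signature bytes, so the example only checks the certificate's claims and leaves signature verification to sshd.

```python
import base64
import hashlib
import struct
import time

# Number of wire-format "string" fields holding the user's public key material,
# per certificate type (RSA: mpint e, mpint n; Ed25519: the 32-byte key).
_KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}


class _Reader:
    """Minimal cursor over SSH wire-format data (RFC 4251 uint32 / uint64 / string)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def _string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b


def ca_fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint of a public key blob, in the form `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def parse_certificate(cert_line: str) -> dict:
    """Parse one line of an OpenSSH certificate file (the format `vault-ssh sign` writes)."""
    cert_type, blob_b64 = cert_line.split()[:2]
    if cert_type not in _KEY_FIELDS:
        raise ValueError(f"unsupported certificate type: {cert_type}")
    r = _Reader(base64.b64decode(blob_b64))
    if r.string().decode() != cert_type:
        raise ValueError("certificate type inside blob does not match the prefix")
    r.string()                                   # nonce
    for _ in range(_KEY_FIELDS[cert_type]):      # user public key material (not needed here)
        r.string()
    serial = r.u64()
    kind = r.u32()                               # 1 = user certificate, 2 = host certificate
    key_id = r.string().decode()
    pr = _Reader(r.string())                     # principals: a packed list of strings
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    for _ in range(3):                           # critical options, extensions, reserved
        r.string()
    signature_key = r.string()                   # public key blob of the CA that issued the cert
    r.string()                                   # signature: not verified here, sshd does that
    return {"serial": serial, "kind": kind, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "ca_fingerprint": ca_fingerprint(signature_key)}


def check_certificate(cert_line: str, expected_ca: str, principal: str, now=None) -> list:
    """Return the reasons the cert should NOT be used to log in as `principal`; [] means it passes."""
    c = parse_certificate(cert_line)
    now = int(time.time()) if now is None else now
    problems = []
    if c["kind"] != 1:
        problems.append("not a user certificate")
    if c["ca_fingerprint"] != expected_ca:
        problems.append(f"issued by unexpected CA {c['ca_fingerprint']}")
    if principal not in c["principals"]:
        problems.append(f"principal {principal!r} not in {c['principals']}")
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside validity window")
    return problems


def build_sample_cert(ca_pub: bytes, principals, valid_after: int, valid_before: int) -> str:
    """CONSTRUCTED fixture: an Ed25519 user cert laid out per PROTOCOL.certkeys with an
    all-zero nonce, user key and signature, so it parses but is not a verifiable certificate."""
    ca_blob = _string(b"ssh-ed25519") + _string(ca_pub)
    body = b"".join([
        _string(b"ssh-ed25519-cert-v01@openssh.com"),
        _string(bytes(32)),                              # nonce
        _string(bytes(32)),                              # user public key
        struct.pack(">Q", 7),                            # serial
        struct.pack(">I", 1),                            # user certificate
        _string(b"vault-omegion-example"),               # key id (constructed)
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),
        _string(b""), _string(b""), _string(b""),        # critical options, extensions, reserved
        _string(ca_blob),                                # signature key
        _string(_string(b"ssh-ed25519") + _string(bytes(64))),  # dummy signature
    ])
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()


SAMPLE_CA_PUB = bytes(range(32))                         # constructed, not a real key
SAMPLE_CA_FINGERPRINT = ca_fingerprint(_string(b"ssh-ed25519") + _string(SAMPLE_CA_PUB))
# A 30-minute certificate for principal "omegion", constructed for this example.
SAMPLE_CERT = build_sample_cert(SAMPLE_CA_PUB, ["omegion"], 1_600_000_000, 1_600_001_800)

if __name__ == "__main__":
    print(parse_certificate(SAMPLE_CERT))
    print(check_certificate(SAMPLE_CERT, SAMPLE_CA_FINGERPRINT, "omegion", now=1_600_000_900))
```

For a real certificate, read the first line of signed-key.pub and pass the CA fingerprint reported by `ssh-keygen -lf` on the file you installed on the server; an empty list from `check_certificate` means the certificate names the right CA and principal and is inside its validity window.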
In this tutorial, we enabled an SSH engine in Vault and generated a CA certificate. We installed the generated CA certificate on the server we want to SSH into. We also created a role in Vault within the created engine with a static configuration. Finally, we signed our SSH key with Vault and used the resulting temporary certificate to SSH to the server.